I have deployed openstack/base on MaaS as indicated here. After I tried to deploy charmed-kubernetes with an openstack-integrator and vault overlay, I cannot perform openstackclient commands on the maas node, and the images uploaded to the dashboard are not recognized; that means the ubuntu charms cannot be deployed. When I do, for example,

```
openstack catalog list
```

I get

```
Failed to discover available identity versions when contacting https://keystone_ip:5000/v3. Attempting to parse version from URL. SSL exception connecting to https://keystone_ip:5000/v3/auth/tokens: HTTPSConnectionPool(host='keystone_ip', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))
```

However, when I ssh into the keystone container, there is a keystone_juju_ca_cert.crt which has as

Issuer: CN = Vault Root Certificate Authority (charm-pki-local)

and as

Subject: CN = Vault Root Certificate Authority (charm-pki-local)

I have also tried to reissue the certificates and refresh the secrets through actions in the vault application, but to no avail.

Can somebody help me here?

Paul Rousseau
  • I don't know anything about juju or openstack, but it looks to me like the problem isn't on the keystone container, but on your local machine (or wherever you are running this `openstack catalog list` command). The local machine doesn't appear to have the `charm-pki-local` CA certificate installed, so it can't verify the connection to the keystone server. – lxop May 25 '20 at 20:54
  • That's it. I cannot believe the vault charm does not do this automatically. If you propose it as an answer, I'd be glad to accept it as such. – Paul Rousseau May 26 '20 at 09:55

2 Answers

I don't know anything about juju or openstack, but it looks to me like the problem isn't on the keystone container, but on your local machine (or wherever you are running this `openstack catalog list` command). The local machine doesn't appear to have the `charm-pki-local` CA certificate installed, so it can't verify the connection to the keystone server.

lxop

You need to get the root CA from vault using juju and then reference that file in the openrc file as the OS_CACERT environment variable.
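
The steps from the two answers, as an added example that is not part of the original posts: save the Vault root CA on the client, confirm the keystone endpoint verifies against it, then record it as `OS_CACERT` in the openrc file. Assumptions: the vault charm's `get-root-ca` action with Juju 2.x `run-action` syntax, and the hypothetical script name and file paths shown in the usage comment.

```shell
#!/bin/sh
# Added example: make the client that runs openstackclient trust the Vault root CA.

# Keep only the PEM certificate block(s) from stdin, dropping the indentation
# that YAML action output puts in front of each line.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed 's/^[[:space:]]*//'
}

# Succeed only if the endpoint's certificate chain verifies against the CA file.
check_endpoint() {  # usage: check_endpoint <host:port> <ca-file>
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Add or replace the OS_CACERT export in an openrc file (other lines are kept).
set_os_cacert() {  # usage: set_os_cacert <openrc> <ca-file>
    (
        tmp=$(mktemp)
        grep -v '^export OS_CACERT=' "$1" > "$tmp" 2>/dev/null || true
        printf 'export OS_CACERT="%s"\n' "$2" >> "$tmp"
        cat "$tmp" > "$1"
        rm -f "$tmp"
    )
}

# Usage (hypothetical script name trust-ca.sh; action name is an assumption):
#   juju run-action --wait vault/leader get-root-ca \
#       | sh trust-ca.sh ~/vault-root-ca.crt ~/openrc keystone_ip:5000
if [ "$#" -eq 3 ]; then
    extract_pem > "$1"
    [ -s "$1" ] || { echo "no certificate found on stdin" >&2; exit 1; }
    # Subject and Issuer should both name the charm-pki-local root CA.
    openssl x509 -in "$1" -noout -subject -issuer
    check_endpoint "$3" "$1" \
        || { echo "$3 still fails verification with $1" >&2; exit 1; }
    set_os_cacert "$2" "$1"
    echo "OS_CACERT written to $2; source it before running openstack commands"
fi
```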